Wednesday, May 9, 2012

The security blanket blues

Briefly before the main piece, it seems that Fx 12 was not one of Mozilla's finer moments. Besides our broken web fonts, which was an endianness issue introduced by Google and picked up by Mozilla downstream, there was a rather nasty regression in JavaScript causing many scripts to run incorrectly and several other QA issues. I am hoping Mozilla fixes these in the 13 cycle, but many of the important fixes have not landed yet. It may be even later than beta 3, but that's when I plan to start the port regardless.

Also, Mozilla changed the login system for Builder.AMO, on which the QuickTime Enabler was stored, and now I can't get back in. I can recover the code, but this sucks, and we may need to rebuild against a new Add-on SDK anyway due to memory improvements landed for Fx15. So, for the time being, the QTE will remain at the same version for the lifetime of 10, and I will work on rebuilding it in the Fx15 timeframe against the new SDK.

Anyway, security.
A recent piece in Computerworld gives the chilling statistic that half of all Macs will no longer be receiving security updates by this summer, assuming that Apple continues their current trend of ending security updates for version n-0.2 when version n comes out (so 10.6 ended updates for 10.4; 10.7 ended them for 10.5; 10.8 will end them for 10.6). Considering Microsoft is still supporting Windows XP, admittedly unwillingly, this seems pretty lousy behaviour.

In particular, this thinly disguised attempt at maximizing hardware sales screws those Intel Macs that can't be updated to 10.7 (or those of us that realize the utter trainwreck that is Lion and/or still need Rosetta), but in PowerPC land, even if Tim Cook grew the conscience for his userbase his predecessor never had, we can assume Apple doesn't give a flying cancerous pancreas about us. PPC is dead technology to Cupertino and that's that.

Because one of the goals for TenFourFox is security -- and security is the goal for Classilla, which if I grow an extra pair of hands might allow me to complete the security audit by the American Tricentennial -- I think it's worth a blog post to talk about exactly what security issues Power Mac users face. Both 10.4 and 10.5 are equally unsupported now and they won't ever be again (I intentionally won't talk about 10.1-10.3 here; there are very few good reasons for New World Macs not to be on at least 10.4, and beige Macs are better off in OS 9). If you are like me and believe it is not unreasonable to expect a long life out of your computer, then you'd better be prepared to do the legwork to keep it safe. Not only is a compromised computer a risk to you and your data, it can also be a source of misery for people on your network. At my normal workplace we are wrestling with a worm preying on the local Exchange server to pump out spam, and it all came from someone incautiously loading drive-by malware onto their office PC from some link they clicked. Moreover, while no PowerPC machines were known to be exploited by the recent Flashback worm, our previous analysis shows that the flaw was real; it's just that the actual payload was Intel-only, so it could not run even though it was possible to gain the privileges it would have required to be successful.

Surprisingly, the biggest improvement to our current security situation comes from, of all companies, Apple themselves. Believe it or not, One Infinite Loop is doing us a big (unintended?) solid by dropping PowerPC support like a hot potato. Xcode 4, which is the most current major version, does not support the 10.4 and 10.5 SDKs, and although it can be coerced with some difficulty into building x86 and x86_64 binaries for them, it won't build PowerPC code at all. To make a PowerPC binary, you must explicitly use Xcode 3, which won't run on 10.7 or any later version of OS X. Furthermore, to make a PowerPC binary that can run on 10.4, you must use Xcode 3 and explicitly link against the 10.4 SDK and build Universal or PPC, none of which happens by default (heck, for that matter, linking against the 10.5 SDK is not by default either). Making malware that runs on a Power Mac will get harder and harder as the user base slowly dwindles, and this doesn't seem like much payoff for the typical money-grubbing phisher. I doubt Apple did this out of love and affection for us, but it is an unexpected benefit.

Most attacks nowadays won't work on Power Macs, anyway. A buffer overflow or stacksmash or other kind of specific low-level code attack requires that the malicious code written by the attacker be built in PowerPC machine language. Relatively few existed during the Power Mac's reign, almost all of them dating from pre-OS X days, and they all but disappeared after the 2006 Intel debacle transition when attackers moved to the much more familiar x86 architecture. Any attack that requires the processor to execute malicious code directly must be in PPC machine code; if it's in x86, it'll merely crash. The security elite reading this entry will immediately dismiss the rest of it as an appeal to "security by obscurity," and I entirely concur. But when the primary motivation of most attacks today is monetary, obscure just doesn't make enough dough. Laziness and the profit motive are the noblest goals. ;)
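As an added illustration (not code from the original post), here is one way to check which CPU architectures a Mach-O file actually carries, which is the property that decides whether native code can execute on a Power Mac at all. The function names and sample byte strings are constructed for this example; it also handles Java class files, which share the universal-binary magic number and are not native code.

```python
import struct

# Constants from Apple's <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE  # universal ("fat") header, always big-endian on disk
MH_MAGICS = (0xFEEDFACE, 0xFEEDFACF)  # thin 32-bit and 64-bit Mach-O
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 18: "ppc", 0x01000012: "ppc64"}
JAVA_MIN_MAJOR = 45  # lowest Java class-file major version


def macho_archs(data):
    """List the CPU architectures a Mach-O image carries code for.

    Returns [] for non-Mach-O data, including Java class files, which share
    the 0xCAFEBABE magic with universal binaries.
    """
    if len(data) < 8:
        return []
    magic_be, second_be = struct.unpack(">II", data[:8])
    if magic_be == FAT_MAGIC:
        # In a class file this word is minor/major version, so it is >= 45.
        if second_be >= JAVA_MIN_MAJOR or len(data) < 8 + 20 * second_be:
            return []
        cputypes = [struct.unpack_from(">I", data, 8 + 20 * i)[0]
                    for i in range(second_be)]
        return [CPU_NAMES.get(c, hex(c)) for c in cputypes]
    # Thin file: the header is written in the target CPU's byte order.
    for endian in (">", "<"):
        magic, cputype = struct.unpack(endian + "II", data[:8])
        if magic in MH_MAGICS:
            return [CPU_NAMES.get(cputype, hex(cputype))]
    return []


def runs_on_powerpc(data):
    """True if the image contains a ppc or ppc64 slice."""
    return any(a.startswith("ppc") for a in macho_archs(data))


# Constructed sample headers, not taken from real files.
THIN_PPC = struct.pack(">7I", 0xFEEDFACE, 18, 0, 2, 0, 0, 0)
THIN_X86 = struct.pack("<7I", 0xFEEDFACE, 7, 3, 2, 0, 0, 0)
UNIVERSAL = (struct.pack(">II", FAT_MAGIC, 2)
             + struct.pack(">5I", 18, 0, 4096, 28, 12)
             + struct.pack(">5I", 7, 3, 8192, 28, 12))
JAVA_CLASS = struct.pack(">IHH", FAT_MAGIC, 0, 50) + b"\x00" * 8

if __name__ == "__main__":
    for blob in (THIN_PPC, THIN_X86, UNIVERSAL, JAVA_CLASS):
        print(macho_archs(blob), runs_on_powerpc(blob))
```

An empty result only means there is no native Mach-O code in the file; a Java class or a script still runs wherever its interpreter does.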

We do have to worry about cross-platform attacks, however, and there is no shortage of those. The Flashback worm was one example: by allowing Java to escalate privileges, anything could have been in that payload -- if it had been another Java-based executable, say, then the worm would have been able to run on Power Macs, and we'd be just as shot. Flash has been used as a cross-platform attack vector, as have the scripting capabilities of Adobe Acrobat Reader, and macro viruses in Word. And, of course, your Virtual PC instance is just as susceptible to a virus as the real thing if you run an unpatched version of Windows in it. Plus, a trojan written in a cross-platform language like Python, Java, Perl or whatnot will probably alarmingly run just fine on a Power Mac. These attacks are particularly dangerous because they hit us just as easily as the PCs and Intel Macs they are targeted at, even though we weren't the actual target (we're just gravy on the cake, or something).

Similarly, you need to make sure the browser you are using doesn't leak data and helps to insulate you against running insecure code. But you're using TenFourFox, so you already have an updated browser that doesn't run insecure plugins. Right? Right.

Security issues with what comes with OS X

Built-in networking: Enable the built-in firewall, and, if you can, enable stealth mode and disable UDP from System Preferences. Some applications require UDP, but see if you can work without it. Using a hardware firewall is even better. There are some potential exploits with the network-accessible components of 10.4 and 10.5, and simply preventing access to them is probably the best approach. If you intend to use Apache or some other server software with your Power Mac, probably better just to install Linux PPC and use that except if you are serving to an internal, trusted network.

QuickTime: There are PPC-based exploits for certain codecs in QuickTime, though none of these are known to be circulating now, and no specific PPC-based exploit for QT 7+. (While QT 6.0.3 in Classic is technically vulnerable, the limitations of OS 9 make the exploit difficult and it would have to be specific to both OS 9 and PowerPC.) It is possible for QuickTime playlists and certain other kinds of scriptable content to be used to load data over the network, but they can be only interacted with in limited ways, and to actually use them for executable data would require a PPC-compatible attack. An attack designed for Intel Macs wouldn't work.

Preview.app: Preview.app and the built-in image and PDF viewer libraries do have known holes, but no known PowerPC-based exploits. The built-in PDF toolkit doesn't understand JavaScript in PDF files or embedded Flash, and as a result is much safer than using the real Adobe Acrobat Reader (which you should really only use for protected documents). This TidBITS article says it all, really. Eventually TenFourFox will have the pdf.js extension when Firefox gets it, but it's slow even on supported Firefox systems, so Preview is still going to render much service for most people.

Java: Just don't. If you use TenFourFox, it is disabled by default; otherwise, disable and destroy the Java plugin if it exists. Java is no longer safe on Power Macs.

Mail.app: There are probably multiple specific ways to attack this application, mostly by blended attacks on the individual components such as the image viewer, etc. (and see below about WebKit). However, almost all of them would require PowerPC-specific code. That said, with Tenfourbird available, why take the risk?

Safari.app and system WebKit: oh gawd no. But here's something you might not have thought of: applications that use the built-in system WebKit components to view HTML are just as vulnerable to attack as Safari. This includes, notably, iCab 4 (but not 3), and many RIA-based applications. However, it does not include OmniWeb, which has its own updated WebKit, nor Tobias' leopard-webkit, of course.

Security issues with common applications

Adobe Flash: I think I've already voiced my objections to Flash. At least one cross-platform worm was created with Flash to attack local networks, and there will be others. Because it is scriptable, many malicious tasks can be executed on a Power Mac. If you use TenFourFox, it and other plugins are disabled; otherwise, disable and destroy the Flash plugin if it exists. For the doubters in the audience: I have not used Flash since TenFourFox 6 disabled plugins last year. I mean it.

Adobe Acrobat: Acrobat allows embedded Flash and JavaScript, which also makes it a scriptable cross-platform target. The only thing you should use Acrobat for is creating PDFs, and protected documents. Otherwise, make sure your PDFs open by default in Preview. Do not use the Acrobat plugin.

Microsoft Office: Office has a number of exploitable holes through macro viruses. For Word, I can think of few reasons you would want macros enabled, but this is a real problem with Excel. v.X and 98 in Classic are probably too old to be effectively pwned, but many macro attacks against 2004 will run on Power Macs, and the Open XML Converter can be attacked in some of the same ways. Fortunately, Microsoft has been kinder to us Power Mac users than Apple has, and you can get updates for all of these issues from Mactopia. Office 2008 is much less susceptible than 2004, but this is because it lacks VBA altogether (greatly limiting its utility), and it is noticeably slower than 2004 or v.X. iWork does not seem to suffer from any of these issues, nor does dear old AppleWorks, so those are safe alternatives. OpenOffice and NeoOffice also get regular updates.

Microsoft Virtual PC (and other PC emulators): This depends greatly on what you run. Remember that a virtual machine installation of Windows can be just as hosed as a real installation. Some Linuces will still run in VPC (I used to use Knoppix). Otherwise, stick to Windows XP and patch patch patch, and/or take advantage of disabling networking or enabling bridged mode.

We need to be realistic and realize our dear Power Macs are not absolutely invulnerable, but we can make them practically so. While I respect those who run Linux on their Macs, for me I need Classic compatibility and the ability to run the apps I've paid good money for over the years (part of what also keeps me from switching to Intel, besides my general bigotry against x86 ISA), and there is no substitute for 10.4 or to a lesser extent 10.5. I run my Macs behind a hardware firewall and I practice what I preach in software. If we're judicious, careful and methodical, we can be nearly as functional as anyone else on the hardware we paid good money for and faithfully maintain.

By the way, I detest the new Blogger. It's slow, and trying to send a complaint about it being slow was even freaking slower. I don't enjoy upgrades for upgrades' sake, and Google is great at this kind of self-gratifying nonsense. Let's hope they forget about Google Code so that it doesn't get "upgraded" either.

I agree, am very disappointed with Apple's continued push to newer tech, even if it's not warranted by the user.

I am currently running Lion on my MBP, and when I get around to upgrading the HDD, I'm switching back to Snow Leopard.

If these continued pushes to change tech continue, I may end up going back to Windows. The high usage of MS products by business forces Microsoft's hand, unlike the relatively small use of Macs in the business world.

I think people who're really screwed are the ones running Snow Leopard on Intel Macs that can't be upgraded. First, in 2006/07, they were the beta testers for Apple's unreliable new Intel hardware. And now payloads *will* run on their systems, and sooner or later they won't receive security updates from Apple anymore.

Xcode 4+ not supporting PPC is really due to lack of attention upstream with the llvm/clang folks. I've been building llvm/clang on svn trunk on powerpc-darwin8 for several months, and there are still numerous issues needed to get a working compiler. My progress is tracked at:

http://www.csl.cornell.edu/~fang/sw/llvm/

If anyone is interested and has bandwidth to help out, I'd be forever grateful (along with other PPC enthusiasts). I think success on this front would help keep PPC/darwin8 alive.

Hey guys, wondered if you could take a look at my question at http://tenfourfox.blogspot.de/2012/04/120-available-1004-to-follow.html? Posted it there because it was about TenFourBird 12, but I guess it might not be seen as it is an older blog post (not sure if you get notifications of comments on them). Thx!

@Delu, Tenfourbird probably inherits some of our irregularities about language packs. You can look at issue 42 in Google Code for some of the changes that need to be made. However, it is entirely possible that our illustrious anonymous builder in the land of the Rising Sun has made other changes which need to be accounted for. You might ask on the Tenfourbird Sourceforge page.

In an unprecedented move (as far as I can remember), Apple has released a version of their Flashback Trojan cleanup utility, as well as their automatic-Java-disabling security update, for Intel-based OS X 10.5 users.

They did not release these updates for PowerPC-based OS X 10.5 users.

But this is evidence that, if the threat is perceived as significant enough, Apple will make some momentary diversions from their typical pattern of prematurely dropping support for some of their not-so-old machines.